Jumbo Hotfix Accumulator for R80.10 (R80_10_jumbo_hf)

Solution ID	sk116380
Product	Security Gateway, VSX, Security Management, Multi-Domain Management / Provider-1, SmartEvent / Eventia Analyzer
Version	R80.10
OS	Gaia
Date Created	06-Jun-2017
Last Modified	18-Jan-2018

Solution

Table of Contents:

Introduction
Availability
Important Notes
List of resolved issues per HotFix
Installation instructions
Uninstall instructions
List of replaced files
Revision History

Collapse the Entire Article

Introduction

R80.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.
Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.

Availability

Effective January 18th, 2018, the R80.10 image has been replaced with Take 462.
Only R80.10 Jumbo Hotfix Accumulator Take 70 and above can be installed on top of this R80.10 image Take 462.

General Availability Take
Take_56 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:

Take Date CPUSE offline
package SmartConsole package

Take_56 23 Nov 2017 (TGZ) (EXE)
- Effective Dec 12th 2017, the General Availability Take_56 is available for CPUSE online installation (it replaces Take_42).
- Effective January 7th, 2018, SmartConsole package has been updated (Build 024)
Ongoing Take

Take Date CPUSE Online Identifier SmartConsole package

Take_70 15 Jan 2018 Check_Point_R80_10_JUMBO_HF_Bundle_T70_sk116380_FULL.tgz (EXE)
- Contact Check Point Support to get this Ongoing Jumbo Hotfix Accumulator

Important Notes

Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.10.
For CPUSE installation, CPUSE Agent build 1298 and above (refer to sk92449) must be used.
It is recommended to install Jumbo Hotfix Accumulator on all the R80.10 machines running on Gaia OS.
This Jumbo Hotfix Accumulator is suitable for these products and configurations:
- Security Gateway
- StandAlone
- Cluster
- VSX
- Security Management Server
- Multi-Domain Security Management Server
- Log Server
- Multi-Domain Log Server
- SmartEvent Server
- vSEC
This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
To check the Take number of the currently installed R80.10 Jumbo Hotfix Accumulator (if it is installed):
[Expert@HostName:0]# cpinfo -y all

List of resolved issues per HotFix

Enter the string to filter the below table:

ID	Product	Symptoms
R80.10 Jumbo HotFix - Ongoing Take 70 (15 Jan 2018)
TPM-494	Multi-Domain Security Management	Global policy assignment fails after removing staging overrides in the Global Domain.
PMTR-1458, 02659051	Multi-Domain Security Management	Attaching a central license from Multi-Domain Security Management to a Domain/CMA creates duplicate license objects in SmartUpdate, which cannot be deleted. Refer to sk120833.
API-146	Security Management	Enhancement: New flags to control the API commands output in full details level. Refer to sk121292.
API-124	Security Management	The "show-access-rulebase" API command fails if the rulebase contains rules with "Encrypt" or "Client Encrypt" action.
CPM-948	Security Management	There is no status in the SmartView Monitor for Mobile Access blade.
PMTR-2379	Security Management	querydb_util generates core file when cannot connect to Security Management server.
PMTR-2376	Security Management	fwm process is down during gateway creation after configuring shared secret for VPN community.
PMTR-2722	Security Management	After reboot or HA Full sync, some objects are not visible in a specific private session.
PMTR-712	Security Gateway	CPD process exits with core dump generated while stopping CPD / rebooting the system / restarting watchdog.
PMTR-1310	Security Gateway	Connections configured with Drop and Block message were actually dropped, but log appears as Accept log.
PMTR-1388	Security Gateway	Upon packet loss, the clients' retransmit "strategy" triggers an issue of reassembling the TCP stream incorrectly. The SSL stream cannot be decrypted like this, so the SSL session is closed. Refer to sk121738.
PMTR-2660, 02666905	Security Gateway	When DHCP is configured to work with VPN, DHCP Relay traffic is dropped.
PMTR-709	Logging	Enhancement: Allow viewing HTTPS related fields according to permission profile in LEA. When configuring a permission profile that allows HTTPS, you will be able to see the related fields when receiving them with LEA OPSEC client, instead of obfuscating them.
PMTR-1771, 02525352	Gaia	Gaia backup files are not created on Multi-Domain Management server. Refer to sk119401.
PMTR-2368	Gaia	Configuring more than 200 logical interfaces can cause routed to crash upon the next change in configuration.
PMTR-1442, 02554018	SmartLog	SmartConsole search does not work for strings that include non-English characters. For example, Cyrillic characters and characters with accent marks. Refer to sk120293.
PMTR-1224, 02562873	SmartLog	After performing a Gradual Upgrade of the Domain Management Server, no logs are displayed in the relevant domain until running the mdsstop;mdsstart commands on MLM.
TEX-412	Threat Extraction	Security enhancements for Data Loss Prevention and Threat Extraction blades
PMTR-1932, 02590986	Threat Emulation	Links inside email with domain suffix (e.g. www.example.com) are emulated as .com files.
PMTR-2891	Anti-Virus, Threat Emulation	Enhancement in Anti-Virus to allow replacement of Kaspersky Labs components. For removal instructions see sk118539. For further information visit http://www.checkpoint.com/kaspersky
PMTR-4787	DLP	The dlpu process crashes in some cases when DLP blade is enabled.
PMTR-1303	Mobile Access	Connection to internal sites or Capsule Docs server via Mobile Access Blade's Reverse Proxy feature fails due to an incorrectly forwarded 'Host' header.
PMTR-2089	Mobile Access	An incorrect policy installation warning "R80.10 gateways cannot be included in the Mobile Access Legacy Policy when Mobile Access Unified Policy is the selected policy source" is shown when installing the Access Control policy on a Mobile Access gateway and the legacy Mobile Access policy is empty.
PMTR-1183	URL Filtering	Enhancements in categorization in cases where only URL Filtering is enabled.
PMTR-2594	HTTPS Inspection	HTTPS based traffic is bypassed when using a category based HTTPS inspection rulebase on a SMB gateway without URL Filtering blade enabled.
R80.10 Jumbo HotFix - General Availability Take 56 (23 Nov 2017)
PMTR-683, 02648460	Security Management	Users that are not configured with Multi-Domain super user permissions, experience slowness in running queries.
PMTR-2697	Security Management	FWM process restarts when trying to read the $FWDIR/tmp/fwmtrace.log file from an incorrect directory where this file does not exist.
R80.10 Jumbo HotFix - Ongoing Take 53 (25 Oct 2017)
PMTR-1702	Security Management	Policy installation fails when Access Role is configured in the Access Control policy on a gateway with no Identity Awareness enabled.
SMCPOL-122	Security Management	When policy installation fails with "Operation incomplete due to timeout" error, timeout can be increased via GuiDBedit Tool. Refer to sk112353.
CPM-830	Security Management	FWM process crash in Management HA environment when $FWDIR/tmp/fwmtrace.log file reaches 2GB.
PMTR-738	Security Gateway	Cluster member IP addresses is not added correctly during policy generation.
PMTR-1421	Gaia OS	Outputs of "top" and "ps -aux" commands show lspci as zombie process. Refer to sk121891.
PMTR-330	DLP	Enhancement: Maximum allowed SMTP headers length can be configured. Refer to sk119293.
PMTR-332	DLP	Enhancement: Improved DLP stability.
GM-2855	SMB Appliances	Enhancement: IPv6 support for 700 / 1200R / 1400 SMB Appliances. Refer to sk118816.
R80.10 Jumbo HotFix - General Availability Take 42 (17 Sept 2017) Note: This Take replaces Take 40 released on 12 Sept 2017. It is recommended to install Take 42
GAIA-1060	Security Gateway	SIC status is "Not Communicating" and CPD process restarts after installing R80.10 Jumbo HotFix Take 40. Refer to sk120494.
UP-94, 02556604	Security Gateway	Websites with short Host headers (like ab.com) cannot be loaded.
TEX-328	Threat Extraction	Security gateway hangs when enabling Threat Extraction Web API.
TPM-373	Threat Prevention	The API command "show threat-profile" wrongly reports configuration of internal settings which causes failure in certain scenarios.
PMTR-748	Anti-Virus, Anti-Bot	Crash in Anti-Virus & Anti-Bot blades.
CPM-806	Security Management	Policy installation fails on DAIP gateways after changing Domain Server from Standby to Active.
PMTR-464	Security Management	After upgrade to R80.x, Administrator's "email" field does not show in SmartConsole.
PMTR-466	Security Management	Rulebase initialization fails after CMA migration from R77.30 to R80.10 via cma_migrate.
TPM-419	Management Console	After a period of time in which multiple IPS updates have been performed, the database size can become very large because of unused data. Enhancement: new procedure to clean old / unused IPS version in the database
TPM-334	Management Console	Geo policy allows to configure several rules for the same country, causing incorrect policy enforcement.
PMTR-631	SmartEvent	In SmartEvent policy, when selecting two 'Event Fields' with the same 'Log Field' in 'Event Format' tab, the Event fails to generate.
PMTR-625	SmartEvent	When automatic reaction mail is sent, the resolving name of source and destination is missing and only the source and destination IP address is shown.
PMTR-655	SmartEvent	When automatic reaction email is sent, wrong "Start time" is displayed.
R80.10 Jumbo HotFix - Take 37 (04 Sept 2017)
PMTR-397	Security Gateway	export_p12 feature is missing in VPN utilities.
PMTR-418	Security Gateway	Security Gateway / Active cluster member freezes / locks up randomly. Refer to sk114977.
PMTR-454	Security Gateway	Login to Smart Console fails with "The server did not provide a meaningful replay; This might be caused by a contract mismatch, a Premature session shutdown or an internal server error" error.
PMTR-469	Security Gateway	FWM process consumes high CPU in case of unreachable DAIP objects existing in the system.
PMTR-458	Security Gateway	Enhancement: Performance of Global Domain Assignment for Open Servers with 9-24 GB memory is improved.
PMTR-473	Security Gateway	Enhancement: Improved Security Gateway stability when it is configured as proxy.
BS-175	Security Gateway	Some objects are missing when querying for unused objects.
SL-441	Security Gateway	In environment with more than 50 Log servers, log queries return results only from 50 log servers.
GAIA-634	Gaia OS	Enhancement: Improved clish stability.
CPM-792	Security Management	Log Server status in Monitoring view is not presented for cluster members of Full HA environment.
CPM-734	Multi-Domain Security Management	Global policy assignment fails after section manipulation in the Global Domain's rulebase.
BS-149	Multi-Domain Security Management	Policy installation from Multi-Domain Management following a Threat policy uninstall, fails.
API-99	Management Console	Security Management API server fails under heavy load. Refer to sk119553.
API-92	Management Console	API "show-packages" (when set to "details-level" : "full") fails where the revision in one of the package’s installation targets has been purged from the database.
API-93	Management Console	If object is used inside a disabled rule, the "where-used" Security Management API command shows that the rule is enabled.
API-94	Management Console	Reply to Security Management API "show-gateways-and-servers" misspells the name of the "identity-awareness" blade as "identical-awareness".
API-88	Management Console	Under certain conditions, after restarting Security Management Server, the API server, although configured to accept requests from GUI clients, no longer does so, but reverts to the default behavior of accepting only calls from the local host.
R80.10 Jumbo HotFix - General Availability Take 35 (22 Aug 2017)
MAGB-27, MAGB-28	Mobile Access	Improved stability of Mobile Access WebMail application.
PMTR-172	Security Gateway	Security hardening for Client Authentication portal.
CPM-534	Security Management	migrate_global_policies and cma_migrate commands can run when processes are down.
PMTR-436	Security Management	Long duration of policy installation for large number of NAT rules.
CPM-665	Security Management	Performance improvements.
DP-1079	Check Point Appliances	"Can't validate base version is a GA take of R80.10" error message when installing Jumbo Hotfix Accumulator Take 24 on 405 / 410 appliances.
R80.10 Jumbo HotFix - General Availability Take 24 (01 Aug 2017)
PMTR-290	Application Control	Support for user-defined application with encoded escaped characters within the URL.
GAIA-760	Gaia OS	BGP does not work for VTIs and Point-to-Point interfaces with mask length of 32 with Virtual IPs.
TEX-329	DLP, Threat Extraction	Security enhancements for Data Loss Prevention and Threat Extraction blades.
02559994, PMTR-385	SmartLog	On Open Servers with 24G-35G of RAM running R80.10 Jumbo Hotfix (Take 10/15/18) logs are not indexed and SmartLogs queries fail.
R80.10 Jumbo HotFix - General Availability Take 18 (24 July 2017)
ACM-520	Application Control	Improved Policy Verification for Pre-R80.10 Security Gateways that support only services of type "TCP" or ‎"UDP" in the Application Control layer.
02522974, PMTR-100	Identity Awareness	Improved Access Role identification for different login/logout scenarios.
02524894, PMTR-99	Security Management	Automatic NAT rule is not removed after the corresponding network object is removed.
02521459, GM-2678	Security Management	Policy installation fails in some cases when installing policy on all managed Security Gateways at once, if Security Management manages both standard Security Gateways and UTM-1 Edge devices.
R80.10 Jumbo HotFix - General Availability Take 15 (11 July 2017)
02536538, PMTR-147	Security Gateway	Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
PMTR-44	vSEC	vSEC objects are not enforced on part of the gateways. Problem is relevant only for large scale environment with more than 50 gateways/cluster/vs/member.
PMTR-45	vSEC	In large scale Azure environments, Data Center objects are partialy imported.
PMTR-167	SmartView	Security hardening of SmartView.
02539824, PMTR-164	Security Management	Security Management access hardening.
R80.10 Jumbo HotFix - General Availability Take 10 (28 June 2017)
02530810	Smart-1	Added support for Smart-1 405 / 410 appliances. Refer to sk117578.
02524737, PMTR-88	VSX	Wrong license status for 'Virtual Systems' blade for VSX objects in R80 SmartConsole.
R80.10 Jumbo HotFix - Take 7 (22 June 2017)
02528737, 02529416, 02533097, CPM-535	Multi-Domain Security Management	Several cpsm-domains-X licenses are counted only once. Refer to sk118316.
02520574, CPM-462	Multi-Domain Security Management	Upgrade failure of secondary Multi-Domain Log Server when using NGX license.
02520796, CPM-460	Multi-Domain Security Management	mds_import fails with "CPM server failed to start, see server logs" message when trying to import a database exported from R80.10 Multi-Domain Management Server.
02524769, PMTR-87	Security Management	While updating a User name, the logged in User name in the logs is wrongly reported with the old User name.
02449460, CPM-465	Security Management	Management High Availability synchronization between primary server upgraded from R80 Jumbo Hotfix to R80.10 and new R80.10 secondary server, fails.
02532395, ACM-335	Security Management, Security Gateway	Security rules that should be installed on a specific Security Gateway wrongly can be installed on another R80.10 Security Gateway. Refer to sk118153.
02526608, PMTR-81	Security Gateway	Improved non-compliant HTTP protection to enforce more rare cases of non-compliant HTTP traffic.
02523046, PMTR-47	Security Gateway	in.emaild.mta process may crash randomly (once every few days was observed) when the Security gateway is configured as Mail Transfer Agent (MTA). Mails under inspection may be delayed by up to a few minutes.
02513631, PMTR-96	IPS	When an IPS protection is overridden, it is enforced correctly however it may cause higher performance load.
PMTR-98	SmartConsole	Translated Source column with "Original" object wrongly has a Hide NAT option.
R80.10 Jumbo HotFix - General Availability Take 3 (06 June 2017)
02521398	Threat Emulation	Fixed Mail Transfer Agent (MTA) enforcement issue.

Installation instructions

Procedure:

Show / Hide instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)
- Offline installation
  Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
  1. Install the latest build of CPUSE Agent from sk92449.
  2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
  3. In the upper right corner, click on the Import Package button.
  4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
  5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
  6. Select the imported package Check Point R80.10 Jumbo hotfix T<number> for sk116380 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
  7. Select this package and click on Install Update button on the toolbar.
Show / Hide instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)
For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
- Offline installation
  Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
  1. Install the latest build of CPUSE Agent from sk92449.
  2. Connect to command line on target Gaia OS.
  3. Log in to Clish.
  4. Acquire the lock over Gaia configuration database:
    HostName:0> lock database override
  5. Import the package from the hard disk:
    Note: When import completes, this package is deleted from the original location.
    HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
  6. Show the imported packages:
    Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.10 Jumbo hotfix T<number> for sk116380"
    HostName:0> show installer packages imported
  7. Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
    HostName:0> installer verify <Package_Number>
  8. Install the imported package:
    HostName:0> installer install <Package_Number>

Uninstall instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

Procedure:

Show / Hide instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)
1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
  Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
2. Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
3. Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
4. Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
5. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
  Click on 'OK' to start the uninstall.
Show / Hide instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)
1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
  Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
2. Connect to command line on Gaia OS.
3. Log in to Clish.
4. Acquire the lock over Gaia configuration database:
  HostName:0> lock database override
5. Uninstall the package:
  HostName:0> installer uninstall <Package_Number>
  Note: The progress (in per cent) will be displayed in Clish.
6. Machine will be rebooted automatically.

List of replaced files

List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

Revision History

Show / Hide revision history

Date	Description
15 Jan 2018	Released Take 70 of R80.10 Jumbo Hotfix Accumulator
18 Dec 2017	Added R80.10 SmartConsole Build 013
12 Dec 2017	Take 56 of R80.10 Jumbo Hotfix Accumulator is now in General Availability
23 Nov 2017	Released Take 56 of R80.10 Jumbo Hotfix Accumulator
07 Nov 2017	Added CPUSE Online Identifier of Take 53
25 Oct 2017	Released Take 53 of R80.10 Jumbo Hotfix Accumulator
24 Sep 2017	Added note regarding CPUSE Agent build 1298
18 Sep 2017	Added reference to sk120494
17 Sep 2017	Released Take 42 of R80.10 Jumbo Hotfix Accumulator
12 Sep 2017	Released Take 40 of R80.10 Jumbo Hotfix Accumulator
04 Sep 2017	Released Take 37 of R80.10 Jumbo Hotfix Accumulator
22 Aug 2017	Released Take 35 of R80.10 Jumbo Hotfix Accumulator
09 Aug 2017	Added note regarding SmartConsole Build 005
01 Aug 2017	Released Take 24 of R80.10 Jumbo Hotfix Accumulator
27 July 2017	Added the following notes: SmartConsole for R80.10 Jumbo Hotfix Accumulator can be used to manage R80.10 GA Take 421 Security Gateways / Management Server. R80.10 GA SmartConsole can be used to manage R80.10 Security Gateways / Management Server with installed R80.10 Jumbo Hotfix Accumulator.
24 July 2017	Released Take 18 of R80.10 Jumbo Hotfix Accumulator Released updated R80.10 SmartConsole for R80.10 Jumbo Hotfix Accumulator (for Take 7 and above)
19 July 2017	Added an important note that to check the Take number of the installed R80.10 Jumbo Hotfix Accumulator, user should run the "`cpinfo -y all`" command
11 July 2017	Released Take 15 of R80.10 Jumbo Hotfix Accumulator
28 June 2017	Released Take 10 of R80.10 Jumbo Hotfix Accumulator
22 June 2017	Released Take 7 of R80.10 Jumbo Hotfix Accumulator
06 June 2017	First release of R80.10 Jumbo Hotfix Accumulator (Take 3)

Give us Feedback

Dhansham - Engineer's Notebook Checkpoint Firewalls Gaia

2

Saturday, January 27, 2018